Do Your Cloud Apps Need a CNAPP?
Cybersecurity is already infamous for its obsession with acronyms. One list compiled by DoD Cyber Exchange counts 309 different security-related acronyms. Another list published by the National Institute of Standards and Technology (NIST) counts — well, I lost count, because it’s more than 25 pages long.
Regardless, it’s time to add another to those lists: CNAPP, short for cloud native application protection platform, the newest acronym in the cybersecurity realm.
While IT and cybersecurity pros can be forgiven for some acronym fatigue, what CNAPP represents is vital as both applications and infrastructure grow increasingly diverse and distributed.
“The security complexity around cloud native applications is constantly rising as organizations scale their Kubernetes clusters, applications and developer teams,” Bruno Andrade, CEO at Shipa.io, a cloud native Application as Code platform, told The New Stack.
“This directly feeds into the need for broader security workflows that can address different security levels across various applications. It’s no small task.”
So, what’s a CNAPP, exactly? We’ll get there in a moment. First, a very quick recap of how we got here.
The Road to CNAPP
Almost as quickly as cloud became a major trend, cloud security followed suit.
First, there was the prevalent (and inaccurate) idea that the cloud was inherently less secure than your own data center.
That eventually gave way to the more pragmatic and realistic assessment that the cloud could be plenty secure. (In fact, as the major cloud platforms matured, it became reasonable to argue that the cloud was more secure than many on-premises environments.) It just required some new ways of thinking about “old” security issues, from user privileges to perimeter security (and the very definition of a “perimeter”), to vulnerability scanning and more.
Today, that evolution continues as the cloud native ecosystem explodes with diversity in terms of applications, tools, and environments. As containerization, microservices architecture, hybrid cloud and multicloud have become commonplace, “security in the cloud” more likely means “security in the clouds.”
“As containers and cloud native deployments expand and become more critical to enterprise business logic, the security concerns evolve to focus more on multicluster, multicloud security where automation, security as code, supply chain and other requirements become critical,” said Glen Kosaka, head of product security at the enterprise open source developer SUSE.
Processes (and workarounds) that might be fine for a small deployment — manual configurations, point security solutions, and so forth — become big headaches and big security risks as you scale. As environments and workloads expand, the task of monitoring and securing them grows more and more complex.
What Is a CNAPP?
Enter the CNAPP: The term itself is credited to the analyst firm Gartner. While you can quibble over specific definitions, the core concept remains the same: a cloud native application protection platform brings the otherwise disparate tools, technologies and data required for a holistic approach to cloud native security into a single place.
A CNAPP commonly comprises several other technologies, including cloud security posture management (CSPM), cloud workload protection platforms (CWPP), cloud infrastructure entitlement management (CIEM), and CI/CD security. (If acronyms alone could thwart attackers, cybersecurity firms would go out of business tomorrow.)
The point, and the reason CNAPPs exist in the first place, is to recognize and more effectively solve the challenges of securing cloud native workloads, which often scale up and down automatically, across myriad different environments.
“Cloud security is basically a three-layered problem,” said John Morello, vice president of product at global cybersecurity provider Palo Alto Networks. Here’s the quick rundown of those layers, according to Morello:
- Classic security. This is the stuff that has more or less always existed, long before cloud: “mantraps” and other physical security in a data center, SOC and other regulatory compliance, hypervisor security, and so forth. When you use cloud infrastructure, the vendor is primarily responsible for this layer.
- Posture management. This encompasses all of the security configurations of your various services.
- Workload protection. While cloud has implications for each of these layers, cloud native applications have created considerable new complexity at this layer, given the ephemeral, scalable nature of containers, multiple operating systems, multiple environments, and so on.
Indeed, Morello pointed out that there’s a temporal or time-based dimension to all of this in the cloud native era, too, as applications autoscale up and down, and code ships faster and more frequently than ever before.
Monitoring and securing cloud native workloads with a hodgepodge of point solutions, policies, and data sources is untenable — and likely to increase your risks.
“When you have highly automated application pipelines with CI/CD, how do you get the visibility and protection needed when application workloads can scale up and down instantly across hosts, clusters, and even cloud providers?” Kosaka said.
That’s the value proposition of a CNAPP: It brings everything you need to tame the complexity of cloud native security into a single view. As a result, it also wrests some control back from your providers — while their own security still matters, a CNAPP is a recognition that the buck still stops with you.
“CNAPP platforms provide specialized visibility and protection for modern applications, and are ultimately the responsibility of the enterprise, not a cloud provider, to deploy to protect their sensitive data and to maintain the health of workloads,” Kosaka said.
There appears to be growing sentiment that the CNAPP is a positive trend given the massive growth of cloud native application development — and the new challenges that brings to organizations and their security teams.
“The key benefit of CNAPP is bringing a holistic, integrated and seamless view across the elements that influence security of an application,” said Yugal Joshi, analyst at the tech research firm Everest Group. “This allows an enterprise to continue their cloud adoption journey by building native workloads and not getting bogged down by security implications.”
Effectively securing cloud native workloads is a complex, time-consuming and expensive proposition today, according to Joshi. CNAPPs attempt to reduce each of those areas of friction.
Does My Cloud App Need a CNAPP?
The practical answer is, as usual: It depends. If you’re still testing the cloud native waters or just managing a single cluster, probably not. But managing containerized workloads at scale — especially across multiple clouds and/or on-premises environments — quickly becomes a much more complex security picture.
DevOps teams already struggle with making the “shift left” concept (i.e., moving security to the earliest phases of the software development pipeline, rather than treating it as a final check before production) a practical reality, according to Kosaka. Add in bigger-picture trends (or mandates, in some organizations) like a zero trust security strategy, and things continue to get more complicated.
The CNAPP is essentially a security response to the general IT trend of everything becoming more granular and more distributed. And we’re well past the point of no return in that regard.
Security in this context isn’t for the faint of heart. As Andrade, the Shipa CEO, said, it’s no small task. A malware scan here and a firewall there won’t quite cut it.
“While security scanning is critical, teams must now address additional requirements,” Andrade said, such as role-based access control (RBAC), how applications are exposed, where images come from, resource consumption, etc.
“The next wave of CNAPPs should enable users to address these — and evolving — security requirements at scale. And they really need to do so regardless of the underlying infrastructure components chosen as part of the cloud native architecture.”
Morello, of Palo Alto Networks, said you don’t have to worry about dogmatic advice here.
“Don’t get overly wrapped up in the tooling — there’s no single tool that’s going to solve all your problems,” he said. The point is that you need a comprehensive approach, and that’s what a CNAPP aims to provide.
If you’re in the beginning stages of wrapping your head around cloud native security, Morello recommends brushing up on some of the accepted industry standards, such as the NIST Cybersecurity Framework. (Morello co-authored NIST 800-190, “Application Container Security Guide.”)
Put another way: we don’t need another security acronym, but cloud native environments increasingly need something like a CNAPP — a holistic, integrated approach to securing inherently disparate, distributed workloads and environments.